Microsoft Defender 0-Day Flaw Allows Privilege Escalation

David kimber
April 15, 2026

A newly discovered zero-day vulnerability in the Microsoft Defender Antimalware Platform has been patched by Microsoft as part of its latest Patch Tuesday security updates.

Disclosed on April 14, 2026, the flaw is tracked as CVE-2026-33825 and carries an “Important” severity rating.

If successfully exploited, this elevation-of-privilege vulnerability allows an attacker to bypass standard permissions and gain full SYSTEM privileges on the affected machine.

Defender 0-Day Vulnerability

The core issue stems from insufficient access-control granularity (CWE-1220) within the Microsoft Defender Antimalware Platform.

This platform consists of user-mode binaries, such as MsMpEng.exe, and kernel-mode drivers designed to protect Windows devices.

Because of this access-control weakness, an attacker who already holds a low-privileged local account can exploit the flaw to elevate to the highest privilege level on the host.

Gaining SYSTEM privileges represents a critical threat to organizational security. It allows attackers to turn off security tools, install persistent malware, access sensitive data, and create new accounts with full administrative rights.

According to Microsoft’s CVSS 3.1 scoring, the vulnerability has a base score of 7.8.

Key technical characteristics of the flaw include:

  • Attack Vector: Local access is required, meaning the attacker must already have a foothold on the target machine.
  • Attack Complexity: Low, making the exploit relatively easy to execute once local access is achieved.
  • User Interaction: None required, allowing the exploit to run silently without tricking the user into clicking a link or opening a file.
  • Privileges Required: Low, meaning a standard, non-administrative user account is enough to trigger the escalation.

Security researchers Zen Dodd and Yuanpei XU reported the vulnerability to Microsoft. While the technical details of the flaw are publicly disclosed, Microsoft notes that it has not yet been exploited in the wild.

However, the company assesses that exploitation is “More Likely,” meaning threat actors are expected to develop and deploy working exploit code soon.

Note that enterprise vulnerability scanners may flag systems on which Microsoft Defender is disabled. This happens because scanners typically identify the vulnerable platform version from the affected binaries, which remain on disk even when the service is turned off.

Microsoft clarifies that systems with Defender disabled are not actually in an exploitable state, though updating them is still recommended.

Mitigations

Microsoft frequently updates malware definitions and the underlying platform to protect against emerging threats. In most enterprise environments and for home users, default configurations will automatically download and install these critical updates.

The vulnerability affects platform versions up to 4.18.26020.6 and is fully patched in version 4.18.26030.3011. Organizations and users should manually verify their update status to ensure complete protection.

To check your current version:

  • Open the Windows Security application using the Windows search bar.
  • Navigate to the Virus & threat protection section.
  • Click on Protection Updates and select Check for updates.
  • Open Settings, select About, and check the Antimalware Client Version.
  • Ensure your version number matches or exceeds 4.18.26030.3011.
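The manual steps above can be scripted for a fleet. The PowerShell below is an added example, not code from the article or from Microsoft; it uses the built-in Defender module cmdlet Get-MpComputerStatus, whose AMProductVersion property is the platform ("Antimalware Client") version shown under Settings > About, and AMServiceEnabled reports whether the service is running. The remote variant assumes WinRM (PowerShell Remoting) is already enabled on the target hosts; the computer names in it are constructed placeholders.

```powershell
# Added example (not from the article): report whether the Microsoft Defender
# Antimalware Platform is at or above the patched version the article names.

$PatchedVersion = [version]'4.18.26030.3011'   # patched platform version from the article

function Test-DefenderPlatformPatched {
    param([version]$Minimum = $PatchedVersion)

    # Get-MpComputerStatus ships with Windows in the Defender module.
    $status    = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AMProductVersion
    $patched   = $installed -ge $Minimum

    # A host with Defender disabled still has the old binaries on disk, which
    # is why a scanner may flag it although Microsoft says it is not exploitable.
    $note = if (-not $status.AMServiceEnabled) {
                'Defender service disabled: not in an exploitable state, but update anyway'
            } elseif ($patched) {
                'Platform is patched'
            } else {
                'Platform is vulnerable: install the pending platform update via Windows Update'
            }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PlatformVersion = $installed
        MinimumVersion  = $Minimum
        ServiceEnabled  = $status.AMServiceEnabled
        Patched         = $patched
        Note            = $note
    }
}

function Get-DefenderPlatformReport {
    # Run the same check on remote hosts over PowerShell Remoting (WinRM assumed).
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [version]$Minimum = $PatchedVersion
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Minimum -ScriptBlock {
        param([version]$Minimum)
        $status    = Get-MpComputerStatus -ErrorAction Stop
        $installed = [version]$status.AMProductVersion
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            PlatformVersion = $installed
            ServiceEnabled  = $status.AMServiceEnabled
            Patched         = ($installed -ge $Minimum)
        }
    } | Sort-Object Patched, ComputerName
}

# Local check:
Test-DefenderPlatformPatched | Format-List

# Fleet check (constructed placeholder host names):
# Get-DefenderPlatformReport -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' |
#     Where-Object { -not $_.Patched } | Format-Table -AutoSize
```

Comparing [version] objects rather than strings matters here: a string comparison of "4.18.26030.3011" against "4.18.26020.6" would give the right answer by luck, but version semantics also handle a future four-part number correctly. The Patched column, filtered to hosts where it is false, is the list an administrator would feed back into the software-distribution audit the article recommends.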

Administrators should regularly audit their software distribution tools to confirm that automatic deployments of the Windows Defender Antimalware Platform are functioning correctly across their networks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.